Type Confusion Primer

DRAFT: The text below is just copied and pasted from the resources below.

Type confusion usually arises when a piece of code doesn’t verify the type of an object that is passed to it and uses it blindly, without type-checking. When a type confusion vulnerability is triggered, the code holds a reference to an object which it believes to be of type A (the API type), but the object is really of type B (the in-memory type).

This is common in applications that exchange complex binary formats, such as VM byte code (Flash), or that pass objects or structures over a local IPC mechanism (Chrome). Structures with tagged unions are good places to start auditing.

Type confusion can be very dangerous because, in the lower-level implementation, a type is expressed as a layout of memory. With type confusion, the wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.

Code Examples
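
The tagged-union case described above, as an added example that is not taken from the resources: an accessor that trusts the API type sits beside one that checks the in-memory tag first. The names `val`, `val_tag`, `val_str_unchecked` and `val_str_checked` and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example types; none of these names come from the page. */
enum val_tag { VAL_INT = 1, VAL_STR = 2 };

struct val {
    enum val_tag tag;        /* in-memory type, set by whoever built the value */
    union {
        uintptr_t   num;     /* valid only when tag == VAL_INT */
        const char *str;     /* valid only when tag == VAL_STR */
    } u;
};

/* Confused accessor: assumes the API type (string) and never reads tag.
 * For a VAL_INT value, the integer's bits come back as a pointer. */
const char *val_str_unchecked(const struct val *v)
{
    return v->u.str;
}

/* Checked accessor: the tag decides which union member may be read. */
int val_str_checked(const struct val *v, const char **out)
{
    if (v == NULL || out == NULL || v->tag != VAL_STR)
        return -1;           /* reject instead of reinterpreting memory */
    *out = v->u.str;
    return 0;
}

int main(void)
{
    struct val n = { .tag = VAL_INT, .u.num = 0x1000 };  /* constructed input */
    struct val s = { .tag = VAL_STR, .u.str = "hello" };
    const char *p = NULL;

    /* Unchecked path: the "string" pointer equals the stored integer. */
    int confused = ((uintptr_t)val_str_unchecked(&n) == n.u.num);
    /* Checked path: wrong tag is refused and the output is left untouched. */
    int rejected = (val_str_checked(&n, &p) == -1 && p == NULL);
    int accepted = (val_str_checked(&s, &p) == 0 && p == s.u.str);
    return (confused && rejected && accepted) ? 0 : 1;
}
```

When auditing, look for every read of a union member and confirm that a tag comparison dominates it on all paths.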

Resources

@Jackson_T